Thursday, September 21, 2017

Normally I share these updates at the beginning of the month, but September has proven to be the busiest month since launch. Back in August the processing node engine saw a major re-write, resulting in a more modular programming interface, allowing for new analysis engines to be added with substantially less overhead. This month has been about applying this modular paradigm to the web application itself, both to the backend and web-interface.

The changes go well beyond simple code-restructuring and engine optimizations. September has been very focused on re-thinking the UI and making it significantly more intuitive to use.

Upload and search will be accessible from the home page.

The updates to the UI extend to every aspect of the new site. Both the analysis and analytics sections can be prone to bugs and slow render times during periods of high load. One of the major goals with the new interface has therefore been improving stability and decreasing load time, especially on legacy browsers.

In a previous update I played with the idea of a static version of the site. I've since abandoned this concept as it seemed rather redundant, and instead simply changed the way the analysis console is rendered. These pages will now be generated almost completely server-side, and allow linking down to the log level, rather than just to a PCAP.

Another major component of the analysis console that is getting an update is CrossSearch. CrossSearch lets users find similar PCAPs by using the indicators in the currently open log as search terms. With the update, CrossSearch will be removed in favor of a Similar Packet Captures tab. Rather than using only the current log to locate similar PCAPs, the new view will use all fields within the PCAP to seed the search, dramatically increasing the accuracy of the algorithm.

Similar Packet Captures: Uses all fields within the current packet capture to locate PCAPs with common attributes.

As you can imagine, this view is incredibly powerful, and effectively allows the user to "search by PCAP." In the context of malicious packet-captures the Similar Packet Captures view is also useful for intuiting which indicators would be most useful for building a signature.
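To make the "search by PCAP" idea concrete, here is an added example (my own illustration, not PacketTotal's code or its actual similarity algorithm). It flattens every log field of a capture into (field, value) indicators, weights each indicator by how rare it is across the corpus so that ubiquitous values such as port 443 contribute nothing, ranks other captures by weighted Jaccard overlap, and lists the rare indicators a capture shares with its nearest neighbours, which is the same information an analyst would want when deciding which indicators to build a signature from. The corpus, field names and values are constructed for the example.

```python
"""Rank packet captures by shared indicators, weighted by indicator rarity.

Added illustration only: the field names are loosely modelled on Zeek-style
conn/dns/http/ssl logs and the sample captures are constructed, not real.
"""
from collections import Counter
from math import log
from typing import Dict, Iterable, List, Set, Tuple

Indicator = Tuple[str, str]  # (field, value)

# Constructed sample corpus: capture id -> {log field: [values seen]}.
SAMPLE_CAPTURES: Dict[str, Dict[str, Iterable[str]]] = {
    "pcap-a": {
        "dns.query": ["update.example-cdn.test", "api.example.test"],
        "http.user_agent": ["Mozilla/5.0 (Windows NT 10.0)"],
        "http.uri": ["/gate.php"],
        "conn.dst_port": ["80", "443"],
        "ssl.ja3": ["aaaa1111"],
    },
    "pcap-b": {
        "dns.query": ["update.example-cdn.test"],
        "http.user_agent": ["Mozilla/5.0 (Windows NT 10.0)"],
        "http.uri": ["/gate.php", "/index.html"],
        "conn.dst_port": ["80", "443"],
        "ssl.ja3": ["aaaa1111"],
    },
    "pcap-c": {
        "dns.query": ["www.example.test"],
        "http.user_agent": ["Mozilla/5.0 (Windows NT 10.0)"],
        "http.uri": ["/index.html"],
        "conn.dst_port": ["80", "443"],
        "ssl.ja3": ["bbbb2222"],
    },
    "pcap-d": {
        "dns.query": ["mail.example.test"],
        "conn.dst_port": ["25", "443"],
        "ssl.ja3": ["cccc3333"],
    },
}


def indicators(capture: Dict[str, Iterable[str]]) -> Set[Indicator]:
    """Flatten every field of a capture into a set of (field, value) pairs."""
    return {(field, value) for field, values in capture.items() for value in values}


def idf_weights(corpus: Dict[str, Dict[str, Iterable[str]]]) -> Dict[Indicator, float]:
    """Inverse document frequency per indicator: an indicator present in every
    capture (here port 443) gets weight 0, one seen in a single capture scores
    highest, so generic values cannot dominate the similarity score."""
    df: Counter = Counter()
    for cap in corpus.values():
        df.update(indicators(cap))
    n = len(corpus)
    return {ind: log((n + 1) / (count + 1)) for ind, count in df.items()}


def weighted_jaccard(a: Set[Indicator], b: Set[Indicator],
                     weights: Dict[Indicator, float]) -> float:
    """Weighted Jaccard: sum of weights shared / sum of weights in the union."""
    shared = sum(weights[i] for i in a & b)
    total = sum(weights[i] for i in a | b)
    return shared / total if total else 0.0


def similar_captures(query_id: str, corpus: Dict[str, Dict[str, Iterable[str]]],
                     top_n: int = 3) -> List[Tuple[str, float]]:
    """Rank every other capture by similarity to the query, best first."""
    weights = idf_weights(corpus)
    query = indicators(corpus[query_id])
    scored = [(cid, round(weighted_jaccard(query, indicators(cap), weights), 3))
              for cid, cap in corpus.items() if cid != query_id]
    scored.sort(key=lambda item: (-item[1], item[0]))
    return scored[:top_n]


def signature_candidates(query_id: str, neighbour_ids: List[str],
                         corpus: Dict[str, Dict[str, Iterable[str]]],
                         top_n: int = 3) -> List[Indicator]:
    """Indicators the query shares with *all* listed neighbours, ranked by
    rarity. Zero-weight (ubiquitous) indicators are dropped: matching on
    them would fire on benign traffic as well."""
    weights = idf_weights(corpus)
    common = indicators(corpus[query_id])
    for nid in neighbour_ids:
        common &= indicators(corpus[nid])
    ranked = sorted((ind for ind in common if weights[ind] > 0),
                    key=lambda ind: (-weights[ind], ind))
    return ranked[:top_n]


if __name__ == "__main__":
    ranking = similar_captures("pcap-a", SAMPLE_CAPTURES)
    print("Captures similar to pcap-a:", ranking)
    best = [ranking[0][0]]
    print("Signature seeds shared with", best, ":",
          signature_candidates("pcap-a", best, SAMPLE_CAPTURES))
```

Running it ranks pcap-b first because it shares the rare DNS name, URI and JA3 hash with pcap-a, while pcap-d scores 0.0 even though it shares port 443, since that port appears in every capture and carries no weight. The same weighting is what makes the shared indicator list useful for signature work: the rare overlaps surface first, the generic ones are filtered out.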

Another major component of the site that is getting a face-lift is the analytics section. Like the analysis console, you will be able to link directly down to the log level within the analytics view. In addition to being able to toggle the chart which best represents your data, every log will contain a Transactions Over Time view. Clicking on any point of this graph will show transactions which occurred during that timeframe.

These updates make up about half the changes planned for the release of PacketTotal 2.0. I will be making a second post early next month to cover the updates to the new search builder and the search UI, followed later that month by the release of PacketTotal 2.0!